[pmwiki-users] Editform: clearing a page text variable, escaping directives

Petko Yotov 5ko at free.fr
Sat Apr 28 10:58:16 CDT 2007


On Saturday 28 April 2007 17:02, Patrick R. Michaud wrote:
> > If people really use empty input boxes to modify existing, non-empty PTVs
> > (I still cannot understand why), then probably PmWiki could detect if it
> > had or had not pre-filled the form with values ...
>
> It is _very_ difficult for PmWiki to know if it has pre-filled out a
> particular form with values.  Doing so requires keeping quite a bit
> of session information around for every form that PmWiki generates,
> and this session information will tend to grow without bound the
> more a particular author interacts with PmWiki.
>
> Also note that simply viewing pages containing a form causes the
> session to grow, whether the form is filled out or not.

I was thinking not of session data, but more of a hidden form field as in:
   (:input default request=1 source=DataPage:)
   translated to:
   <input type="hidden" name="_ptv_were_prefilled" value="1"/>

i.e. when there is a "source=DataPage" parameter, the form was pre-filled.


> ...
> > > But converting "(&#x3a;" back to "(:" upon edit would defeat the
> > > purpose here.  Suppose a malicious person uses a form to insert a
> > > directive into a page -- it gets converted to "(&#x3a;" and so far
> > > we're safe.  Then, a privileged author comes along later and makes
> > > a minor edit to the page.  If the "(&#x3a;" is converted back to
> > > a "(:", and our later author doesn't notice this, then the malicious
> > > author will have succeeded in getting a directive added to a page.
> >
> > I did not mean in the wiki source, but in the editform's input-boxes
> > (PmPhilosophy n°1) but currently I cannot see how this could be done.
>
> The problem is that if it's in the editform's input-boxes, then
> when the author (re-)submits the page to PmWiki we cannot know if
> the "(:" that comes from the text field is because we previously
> converted from (&#x3a; or because the author really wants a "(:"
> to appear there.
>

I understand what you mean; however, this is still a puzzle: what if 
an "advanced" editor adds "(:" in the page source? It will display "(:" in 
the input box, and then, when saved, it will be transformed into "(&#x3a;" and 
eventually break something.

For me, the most consistent behaviour would be, from a posted "editform", to 
always escape "(:" inside PTVs, advanced editor or not. If it is always 
escaped, there is no problem with "unescaping" the "(&#x3a;" back into "(:" 
only in "editform" mode.

Hopefully, we will have more ideas to brainstorm. :-)

Thanks!
Petko
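The behaviour proposed above (escape "(:" in every posted PTV value, unescape only when pre-filling the editform inputs, and mark pre-filled forms with the hidden field) as an added example in PHP. This is not PmWiki's code, only an illustration of the scheme; the function names, the `ptv_` field prefix and the sample page and post data are assumptions.

```php
<?php
// Added example (not PmWiki's code): "always escape on post, unescape only
// when pre-filling the editform". Function names, the ptv_ field prefix and
// the sample data below are assumptions made for the illustration.

// Neutralise directive openers in a posted PTV value: "(:" becomes "(&#x3a;"
// so the stored page source can never contain a directive that came in
// through a form. Applied to every post, advanced editor or not, and
// idempotent: its output never contains "(:", so re-escaping is harmless.
function escapePtvValue(string $value): string
{
    return str_replace('(:', '(&#x3a;', $value);
}

// The inverse, applied ONLY to values shown in editform inputs, so the
// author sees "(:" instead of the entity. It is never applied to the
// stored source, which is the step Pm warns against in the quoted text.
function unescapePtvValue(string $value): string
{
    return str_replace('(&#x3a;', '(:', $value);
}

// Render editform inputs pre-filled from a page's PTVs, plus the hidden
// marker suggested above so the receiving end knows the form was pre-filled.
function renderEditForm(array $ptvs): string
{
    $html = "<input type=\"hidden\" name=\"_ptv_were_prefilled\" value=\"1\"/>\n";
    foreach ($ptvs as $name => $value) {
        $html .= sprintf(
            "<input type=\"text\" name=\"ptv_%s\" value=\"%s\"/>\n",
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars(unescapePtvValue($value), ENT_QUOTES, 'UTF-8')
        );
    }
    return $html;
}

// Merge a posted editform into the page's PTVs. Every posted value goes
// through escapePtvValue(), regardless of who posted it or whether the
// form was pre-filled.
function applyPostedPtvs(array $ptvs, array $post): array
{
    foreach ($post as $field => $value) {
        if (strncmp($field, 'ptv_', 4) !== 0) {
            continue;
        }
        $ptvs[substr($field, 4)] = escapePtvValue((string) $value);
    }
    return $ptvs;
}

// Constructed scenario from the thread: an anonymous visitor posts a
// directive through the form, then a privileged author re-saves the page
// from a pre-filled editform without noticing it.
$page = ['Summary' => 'Project status'];
$page = applyPostedPtvs($page, ['ptv_Summary' => '(:include Site.Secret:)']);
echo "stored after malicious post: {$page['Summary']}\n";

// The editform shows the author the readable "(:" form of the value.
echo renderEditForm($page);

// The author submits the form unchanged: the browser posts the decoded
// value "(:include Site.Secret:)", which is escaped again on the way in.
$page = applyPostedPtvs($page, [
    '_ptv_were_prefilled' => '1',
    'ptv_Summary'         => '(:include Site.Secret:)',
]);
echo "stored after re-save: {$page['Summary']}\n";

// The invariant the scheme buys: the stored source never holds a live
// directive that arrived through a form.
assert(strpos($page['Summary'], '(:') === false);
```

Because escaping is unconditional on the posted side, the stored value stays "(&#x3a;include Site.Secret:)" across both saves, while the unescape step is confined to rendering the input box. The same rule means an advanced editor who types "(:" into a PTV input also ends up with the entity in the source, which is the trade-off discussed above; the hidden `_ptv_were_prefilled` field is carried through but, under this "always escape" rule, nothing needs to branch on it.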
